FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT

Fiscal Year 2009 Evaluation of the Social Security Administration's Compliance with the Federal Information Security Management Act

November 2009      A-14-09-19047

Patrick P. O'Carroll, Jr.
Inspector General

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

   • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
   • Promote economy, effectiveness, and efficiency within the agency.
   • Prevent and detect fraud, waste, and abuse in agency programs and operations.
   • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
   • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

   • Independence to determine what reviews to perform.
   • Access to all information necessary for the reviews.
   • Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:      November 17, 2009                                   Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   Fiscal Year 2009 Evaluation of the Social Security Administration's Compliance with the Federal Information Security Management Act (A-14-09-19047)

OBJECTIVE

Our objective was to determine whether the Social Security Administration's (SSA) overall security program and practices complied with the requirements of the Federal Information Security Management Act of 2002 (FISMA) for Fiscal Year (FY) 2009. [1]

BACKGROUND

FISMA provides the framework for securing the Government's information and information systems. All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of their security programs. FISMA requires that each agency develop, document, and implement an agency-wide information security program. [2]

OMB uses information reported pursuant to FISMA to evaluate agency-specific and Government-wide security performance, develop the annual security report to Congress, and assist in improving and maintaining adequate agency security performance. OMB issued Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, on August 20, 2009. This year, OMB requires that agencies use an automated tool, CyberScope, to submit the annual FISMA report. See Appendix C for additional background.

SCOPE AND METHODOLOGY

FISMA directs each agency's Office of Inspector General (OIG) or an independent external auditor, as determined by the Inspector General of the agency, to perform an annual, independent evaluation of the effectiveness of the agency's information security program and practices. [3] SSA's OIG contracted with PricewaterhouseCoopers LLP (PwC) to assist in the audit of SSA's FY 2009 financial statements. [4] Because of the extensive internal control system review that is completed as part of that work, the OIG FISMA requirements were incorporated into PwC's financial statement information technology (IT) related work. This evaluation included reviews of SSA's mission-critical sensitive systems as described in the Government Accountability Office's Federal Information System Controls Audit Manual (FISCAM). PwC performed an "agreed-upon procedures" engagement using FISMA, OMB, National Institute of Standards and Technology (NIST) guidance, FISCAM, and other relevant security laws and regulations as a framework to complete the required OIG review of SSA's information security program, practices, and sensitive systems. See Appendix D for more details on our Scope and Methodology.

SUMMARY OF RESULTS

Based on the results of OIG and PwC's work, we determined that SSA generally complied with FISMA requirements for FY 2009; however, there are areas that need improvement. SSA continues to work toward maintaining a secure environment for its information and systems. For example, SSA continues to have sound processes in a number of areas, including certification and accreditation (C&A), configuration management, privacy, and system inventory.

Although the Agency continues to protect its information and systems, our FY 2009 financial statement audit identified a significant deficiency in the Agency's controls over access to its information. SSA did not continually assess individuals' access to the Agency's mainframe information. It should be noted that a financial statement significant deficiency in internal controls does not necessarily rise to the level of a significant deficiency as defined under FISMA. [5] The FY 2009 financial statement audit significant deficiency does not rise to the level of a significant deficiency defined under FISMA because of other compensating controls the Agency has in place, such as intrusion detection systems, guards, closed circuit televisions, automated systems checks, configuration management, and firewalls.

We also noted several areas that would enhance SSA's security over its systems and sensitive information. SSA should ensure:

      •   implementation of OIG's computer security program audit recommendations;
      •   implementation of effective system access controls;
      •   effective strategic planning that addresses future processing needs;
      •   protection of personally identifiable information (PII);
      •   full implementation of its vulnerability remediation policy;
      •   employees and contractors receive security awareness and specialized security training;
      •   proper incident handling and notification; and
      •   continued improvements in its C&A security assessments.

IMPLEMENTATION OF OIG COMPUTER SECURITY PROGRAM RECOMMENDATIONS

According to FISMA, each agency is required to implement an agency-wide information security program ". . . to provide information security for the information and information systems that support the operations and assets of the agency." [6] The Chief Information Officer (CIO) is responsible for ensuring agency compliance with FISMA and designating a senior agency information security officer to head an office with the mission and resources to assist the CIO in ensuring agency compliance with FISMA. [7] In September 2009, we completed a follow-up audit of our 2001 review of SSA's computer security program. [8] We found that SSA continued to have a decentralized, fragmented information security management structure. We also found that the Office of the CIO did not have sufficient delegated authority and resources to carry out its responsibilities for SSA's information security program. To help ensure an effective security program, SSA needs to have a centralized security structure with sufficient delegated authority and resources. Further, SSA needs to have all staff responsible for developing an agency-wide security policy report to the CIO. Had SSA implemented the recommendations from our June 2001 report, [9] some of the findings discussed in this report may not have occurred.

IMPLEMENTATION OF EFFECTIVE SYSTEM ACCESS CONTROLS

OMB Circular A-123 Significant Deficiency

Controlling and limiting access to the Agency's information systems and resources is the first line of defense in ensuring the confidentiality, integrity, and availability of the Agency's information resources. [10] Lack of adequate access controls compromises the completeness, accuracy, and validity of the information in the systems.

Our audit of SSA's FY 1997 financial statements identified access controls as a reportable condition. [11] Since 1997, SSA has worked to establish sufficient access controls, as evidenced by the use of TOP SECRET software and the initiation of the Standardized Security Profile Project (SSPP). [12] Further, the Agency made significant progress identifying and establishing a baseline for security access to its financially significant mainframe applications, security administration tools, and operating systems. As a result, in FY 2005, the access control issue was removed as a reportable condition.

However, our FY 2009 financial statement audit identified a significant deficiency [13] in the Agency's control of access to its sensitive information. SSA needs to periodically recertify individuals' security accesses to Agency mainframe computers. Moreover, a policy had not been established and consistently implemented agency-wide to periodically reassess the content of security access to ensure that employees and contractors are given least-privilege accesses for their job responsibilities. Further, SSA was unable to consistently provide evidence that Agency management reviewed security accesses or "profiles" [14] to determine whether system data, transactions, and resources for financially significant applications, systems, and related tools were in line with the concept of least privilege.

Local Profiles

SSA used local profiles to allow quick changes to access rights. These changes can only occur for access that the component security officers can administer. Local profiles are not included in the TOP SECRET tracking (TSTRAC) process. The TSTRAC process is a sequence of SSA "checks and balances" for requesting, obtaining, and changing access to protect SSA data, applications, and resources. During the financial statement audit, approximately 3,650 local profiles were identified. We identified 101 of the 3,650 local profiles as having access to financially significant applications. Our tests found that the Agency had not been properly managing and monitoring these 101 local profiles. Our testing on non-financially significant local profiles was limited. We plan to expand our review in FY 2010 to determine whether these profiles have any significant impact on SSA's non-financial systems.

Other Access Control Weaknesses

SSA should continue to work to strengthen access controls in other areas. Our audit work in FYs 2007 through 2009 identified a need for SSA to strengthen employment suitability checks for SSA contractor personnel. [15] For example, we found that a number of contractor staff did not receive background checks. Therefore, these individuals should not have been permitted to work on-site at an SSA facility or have access to Agency program or sensitive information. Additionally, we determined that certain programmers had excessive access to production data for specific SSA systems. SSA should ensure that individuals only have access to the systems that are necessary to perform their jobs. As a result of these weaknesses, SSA's sensitive data could have been compromised.

A strong security plan is required as SSA increases its dependence on the Internet and Web-based applications to serve the American public. Additionally, SSA needs to improve its review and assignment of access to sensitive information systems and the data contained therein. Further, SSA management should implement a policy that requires annual reviews of the assignment of profiles and the content of these profiles. The scope of the policy should include all profiles, and the process should be consistent and auditable.

EFFECTIVE STRATEGIC PLANNING THAT ADDRESSES FUTURE PROCESSING NEEDS

Effective strategic planning is critical to SSA's ability to address future processing needs and protect its sensitive data. Several OIG reports have identified a need for SSA to improve its IT long-term strategic planning. [16] SSA's IT strategic planning documents are task-oriented in nature and need to be more strategic. If SSA had a long-term and comprehensive IT Strategic Planning process in place, the significant infrastructure and electrical capacity issues currently affecting the National Computer Center (NCC) may have been avoided. Further, the current NCC replacement effort would not be an exercise in crisis management. Because of the significant infrastructure and electrical capacity issues, the Agency's ability to deliver services to the American public is at risk. The American Recovery and Reinvestment Act of 2009 provided SSA $500 million to replace the NCC. [17] Proper long-term and comprehensive strategic planning will help SSA ensure the NCC replacement meets its near- and long-term needs.

In addition to the NCC replacement, SSA needs to address its ability to recover critical data processing operations in the event of disaster. The Agency's goal is to restore critical functions within 24 hours of a disaster. Currently, it will take SSA approximately 10 days to reach 34 percent of its production capacity. SSA's current disaster recovery plan is heavily dependent on the availability of a contracted facility that is available on a first-come, first-served basis. SSA has constructed a second data center, known as the Durham Support Center (DSC). The current plan shows the DSC to be fully functional [18] in 2013; however, we were advised that steps have been taken to ensure the DSC will have the mainframe capacity to perform all critical NCC workloads [19] by 2010. The DSC would prove to be an important option should the NCC be affected by a catastrophic event that affects the Northeast region. Our FY 2009 reviews recommended that SSA accelerate the use of the DSC as a fully functioning data center, with particular emphasis on using the DSC as the disaster recovery site for the NCC. [20]

PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION

OMB has issued guidance [21] on how Federal agencies should safeguard PII. [22] For example, the current FISMA reporting guidance [23] requires that SSA include the following items as an appendix to its annual FISMA report:

        •    breach notification policy, if it has changed significantly since last year's report;
        •    progress update on eliminating unnecessary use of Social Security numbers (SSN); and
        •    progress update on review and reduction of holdings of PII.

SSA has taken various steps to safeguard PII. It created a PII Portal Website that defined SSA managers' and employees' responsibilities to ensure the confidentiality of the information they collect and hold. SSA also established a PII Executive Steering Committee to provide oversight and make recommendations on Agency PII policy to the Commissioner, as well as other groups to oversee the public Internet site and internal Intranet sites. For example, the Agency established the Web Steering Committee to facilitate coordination between responsible components on the development, management, and maintenance of its Internet site. In addition, SSA established the Internet and Intranet Application Standards Workgroups to oversee the Internet and Intranet sites.

SSA can still improve its efforts to protect PII. For example, we identified instances of PII on the Agency's Intranet. [24] SSA has attempted to mitigate these PII breaches by removing the PII from the public domain. However, our search of SSA's Intranet sites detected 179 instances of PII being displayed. We found most of this PII on regional Intranet sites maintained by SSA's Office of Disability Adjudication and Review. In addition, we found 11 other instances of exposed PII on other SSA Intranet sites containing Agency training manuals. After we notified SSA officials about the exposed PII, it was immediately removed from the Intranet sites.

We reported that the Agency lacked a designated component to monitor PII issues related to SSA's Internet and Intranet sites. Moreover, SSA had not developed clear and relevant content standards for safeguarding PII on its Websites. SSA's lack of controls may have contributed to PII being displayed on the Agency's Intranet sites. SSA should ensure that controls to protect PII are fully developed and implemented in accordance with OMB guidance.

FULL IMPLEMENTATION OF SSA'S VULNERABILITY REMEDIATION POLICY

FISMA requires that agencies implement an information security program that includes a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the Agency's information security policies, procedures, and practices. [25] OMB requires that agencies have a Plan of Action and Milestones (POA&M) process to manage their remediation of security vulnerabilities. [26] In FY 2009, SSA implemented a new automated system, called Cyber Security Assessment and Management, to manage its remediation process. SSA has an adequate remediation policy, but the policy has not been fully implemented. For example, some of the deficiencies in the Agency's information security policies, procedures, and practices were not tracked by Cyber Security Assessment and Management, and some Agency component quarterly remediation status reports were not provided to the Office of the CIO. We also found some deficiencies were not remediated in a timely manner. SSA should strengthen its POA&M process to ensure all deficiencies are tracked and appropriately addressed in a timely manner. Further, Agency components should provide timely remediation status reports to the Office of the CIO as required by Agency policy. [27]

ENSURE EMPLOYEES AND CONTRACTORS RECEIVE SECURITY AWARENESS AND SPECIALIZED SECURITY TRAINING

FISMA and OMB require that all Agency personnel and contractors receive appropriate annual security awareness and specialized security training. [28] The Agency states that its approach to providing information security training to all SSA employees and system users follows the guidelines in OMB Circular A-130, Appendix III, [29] which indicates that all individuals must be appropriately trained to fulfill their security responsibilities before they are granted access to agency systems. FISMA requires that each agency develop, document, and implement an agency-wide information security program. [30] NIST recommends agencies monitor the compliance and effectiveness of their security awareness training programs. [31] An automated tracking system should be designed to capture key information regarding program activity (for example, courses, dates, audience, costs, and sources). The tracking system should capture these data at an agency level, so they can be used to provide enterprise-wide analysis and reporting regarding awareness, training, and education initiatives. [32]

We found that SSA's security awareness and training program had two deficiencies:

      1. SSA did not have an effective process to confirm that all users with log-in privileges completed annual security awareness training before accessing the Agency's systems.
      2. SSA did not have an effective process to monitor compliance and effectiveness of the security awareness and specialized security training program.

SSA could not provide sufficient documentation to support that its employees and contractors completed the required security awareness and specialized security training before accessing the Agency's systems. Moreover, SSA stated that all employees and contractor personnel received appropriate security awareness and security training. However, Agency staff could only provide evidence that 16 of 45 users in our sample received specialized training. We also found that some contractors were provided access to SSA's systems before they received the security awareness statement. We recommend SSA develop a system or process that adequately confirms all users with log-in privileges complete annual security awareness training. Further, SSA needs to establish an automated tracking system to create, review, and maintain security awareness training records for all employees and contractors as evidence of compliance with OMB A-130, FISMA, and NIST guidelines.

ENSURE PROPER INCIDENT HANDLING AND NOTIFICATION

SSA only reported 35 percent of the PII incidents to US-CERT within 1 hour. OMB requires that agencies report all PII incidents within 1 hour of detection without distinguishing between suspected and confirmed breaches. [33] SSA management said it strives to comply with the OMB timeframes; however, SSA conducts additional research to confirm the PII incident actually occurred. As a result, valuable time is lost before law enforcement agencies and US-CERT are notified and can begin their investigations. Further, since SSA waits to confirm a PII incident instead of immediately reporting a suspected PII incident, the Agency is not in compliance with OMB policy. [34]

In addition, FISMA requires that agencies notify and consult with law enforcement agencies and their OIGs regarding security incidents, as appropriate. [35] Further, SSA's Administrative Instructions Manual System (AIMS) states that ". . . In the event of loss, theft or damage to SSA controlled personal property; employees are to report promptly to the appropriate custodial officer, through their immediate supervisor." [36] In FY 2009, SSA reported that 37 incidents were reported to law enforcement. The custodial officers notify building security, Federal Protective Service, and/or local police of suspected thefts. [37] We sampled 5 of the 37 incidents reported to law enforcement and found that OIG did not receive notice of the 5 incidents; however, the Agency's Change, Asset, and Problem Reporting System showed that all 5 incidents were forwarded to law enforcement agencies. We did not contact other law enforcement agencies to verify whether the five sampled incidents were reported.

SSA needs to comply with OMB Memorandum M-06-19 [38] and ensure proper handling of security incidents from the time of detection to final resolution.

CONTINUED IMPROVEMENTS IN C&A SECURITY ASSESSMENTS

SSA conducted C&A reviews [39] for its 20 major systems in the past 3 years, as required by FISMA. [40] To test SSA's compliance with OMB [41] and NIST guidance, [42] we reviewed 4 of the 10 systems certified in FY 2009. We found SSA's C&A process generally met the requirements of NIST SP 800-37. [43]

Although SSA generally met the Federal requirements for C&As, it needs to improve the security assessment process to ensure security weaknesses are identified. As reported in our FY 2008 FISMA assessment, SSA's security assessments were largely based on less effective assessment methods, such as examinations and interviews. [44] SSA made some improvements during the FY 2009 C&A process by significantly increasing the use of the test method [45] to assess the effectiveness of its security controls. However, there were weaknesses relating to access control, contingency planning, and other areas tested that should have been identified in the C&A review process. We recommend SSA continue to improve its C&A process by increasing the usage of the test assessment method.

NOTES

1.  Pub. L. No. 107-347, Title III, Section 301.
2.  Pub. L. No. 107-347, Title III, Section 301 § 3544(b), 44 U.S.C. § 3544(b).
3.  Pub. L. No. 107-347, Title III, Section 301, 44 U.S.C. § 3545(b)(1).
4.  OIG Contract Number GS-23F-0165N, March 16, 2001. The FY 2009 option was exercised in December 2008.
5.  Government Accountability Office, Government Auditing Standards, section 5.11: A significant deficiency with regard to financial audits is defined as a deficiency in internal control, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with Generally Accepted Accounting Principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. OMB FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, August 20, 2009, page 9, defines a significant deficiency as a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near immediate corrective action must be taken.
6.  Pub. L. No. 107-347, Title III, Section 301(b)(1) § 3544(b), 44 U.S.C. § 3544(b).
7.  Pub. L. No. 107-347, Title III, Section 301(b)(1) § 3544(a)(3), 44 U.S.C. § 3544(a)(3).
8.  Follow-up: The Social Security Administration's Computer Security Program Compliance (A-14-09-19048), September 24, 2009.
9.  Management Advisory Report - Compliance of the Social Security Administration's Computer Security Program with Applicable Laws and Regulations (A-13-98-12044), June 14, 2001.
10. Information Systems Security Handbook, Section 2.1.
11. A reportable condition is a control deficiency or combination of control deficiencies that in management's judgment represent significant deficiencies in the design or operation of internal control that could adversely affect the organization's ability to meet its internal control objectives.
12. SSPP is a project to ensure programmers only have the least system privilege.
13. See Footnote 5.
14. A profile is one of TOP SECRET's primary access control mechanisms. Each profile contains a unique mix of facilities and transactions that determines what access to systems resources that specific position needs.
15. The Social Security Administration's Information Technology Maintenance and Local Area Network Relocation Contract (A-14-07-17022), May 21, 2007; The Social Security Administration's Enterprise-Wide Network Infrastructure Contract (A-14-08-18014), September 2, 2008; and The Social Security Administration's Oversight of MDRC Contract No. SS00-06-60075 (A-15-08-18010), December 22, 2008.
16. The Social Security Administration's Information Resources Management Strategic Plan (A-14-07-27133), September 28, 2007; Quick Response Evaluation: The Social Security Administration's Ability to Address Future Processing Requirements (A-44-09-19098), March 16, 2009; Quick Response Evaluation: The Social Security Administration's Disaster Recovery Process (A-14-09-29139), June 5, 2009; Congressional Response Report: The Social Security Administration's Information Technology Strategic Planning (A-44-09-29120), June 29, 2009; and Processing Capacity of the Social Security Administration's Durham Support Center (A-14-09-19100), September 30, 2009.
17. Pub. L. No. 111-5, Division A, Title VIII, H.R. 1-71.
18. A data center is fully functional when it will process a portion of SSA's critical and non-critical workloads. Each data center will back up the data assets of the other. The centers will be designed so that, in the event of a disaster, the critical workloads of one will be assumed by the other. Non-critical workloads will be deferred until the impacted center is restored to full operations or the capacity of the unaffected center can be expanded.
19. SSA's critical workloads are enumeration and claims administration for benefits and post-entitlements under Titles II and XVI.
20. Quick Response Evaluation: The Social Security Administration's Disaster Recovery Process (A-14-09-29139), February 17, 2009, and Processing Capacity of the Social Security Administration's Durham Support Center (A-14-09-19100), September 30, 2009.
21. OMB Memorandum M-09-29, supra at cover pages; OMB Memorandums M-08-09, New FISMA Privacy Reporting Requirements for FY 2008, January 18, 2008; M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007; and M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006.
22. PII refers to information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, biometric records, etc., alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, or mother's maiden name.
23. OMB Memorandum M-09-29, supra at cover pages.
24. Protecting Personally Identifiable Information on the Social Security Administration's Intranet Sites (A-12-09-29118), August 19, 2009.
25. Pub. L. No. 107-347, Title III, Section 301(b) § 3544(b)(6), 44 U.S.C. § 3544(b)(6).
26. OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, October 17, 2001.
27. Information Systems Security Handbook, Appendix U.
28. OMB M-09-29, supra at page 17, states "…the agency is responsible for ensuring the contractor personnel receive appropriate training (i.e., user awareness training and training on agency policy and procedures)." Pub. L. No. 107-347, Title III, Section 301(b) § 3544(a)(4) requires each agency head to ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines. OMB M-07-16, Attachment 1 § A.2.d states "Agencies must initially train employees (including managers) on their privacy and security responsibilities before permitting access to agency information and information systems. Thereafter, agencies must provide at least annual refresher training to ensure employees continue to understand their responsibilities... Additional or advanced training should also be provided commensurate with increased responsibilities or change in duties."
29. Section A.3.a.2.b.
30. Pub. L. No. 107-347, Title III, Section 301(b) § 3544(b), 44 U.S.C. § 3544(b).
31. NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program, October 2003, page ES-1 states "Within agency IT security program policy, there must exist clear requirements for the awareness and training program."
32. NIST SP 800-50, supra at section 6.1.
33. OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006.
34. Id.
35. Pub. L. No. 107-347, Title III, Section 301(b)(1) § 3544(b)(7)(C)(i), 44 U.S.C. § 3544(b)(7)(C)(i).
36. Administrative Instruction Manual System, Materiel Resources Manual, Chapter 4 Property Management, Section 04.05.05 A.
37. AIMS, supra at section 04.05.05 B.2.
38. See Footnote 34.
39. According to NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004, security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.
40. OMB Memorandum M-09-29, page 11, states "C&A is required for all Federal information systems." This OMB guidance also indicates that section 3544(b)(3) of FISMA refers to "subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems" and does not distinguish between major or other applications.
41. OMB Memorandum M-09-29, supra, FY 2009 FISMA Reporting, Annual FISMA Reporting Inspector General Questions, Question 5.
42. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.
43. Id.
44. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, July 2008, page 9, defined 3 security control assessment methods: examine, interview and test.
The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects. The interview method is the process of conducting discussions with individuals or groups of individuals within an organization to, once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
45 Id.

CONCLUSIONS AND RECOMMENDATIONS

Our FY 2009 FISMA evaluation determined that SSA generally complied with FISMA; however, some improvements are needed. SSA worked with us to identify ways to comply with FISMA. The Agency continues to develop, implement, and operate security controls to protect its sensitive data, assets and operations.

In our prior reports, we identified similar issues related to SSA’s (1) computer security program, (2) access controls, (3) strategic planning, (4) protection of PII, (5) vulnerability remediation process, (6) employee and contractor security awareness training, (7) incident reporting, and (8) C&A process. We affirm our prior recommendations in these areas and encourage the Agency to fully implement these recommendations.

SSA should continue to strengthen its overall security program and practices and ensure future compliance with FISMA and other information security related laws and regulations; therefore, we recommend SSA:

1. Ensure system access controls are fully implemented to meet least privilege criteria for all users of SSA’s systems. This includes regular monitoring of access to SSA’s systems.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Office of the Inspector General Response to Annual Federal Information Security Management Act of 2002 Reporting Inspector General Questions
APPENDIX C – Background and Current Security Status
APPENDIX D – Scope and Methodology
APPENDIX E – The Social Security Administration’s Certified and Accredited Systems
APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
AIMS          Administrative Instructions Manual System
C&A           Certification and Accreditation
CIO           Chief Information Officer
DSC           Durham Support Center
FIPS          Federal Information Processing Standard
FISCAM        Federal Information System Controls Audit Manual
FISMA         Federal Information Security Management Act of 2002
FY            Fiscal Year
IT            Information Technology
NCC           National Computer Center
NIST          National Institute of Standards and Technology
OIG           Office of Inspector General
OMB           Office of Management and Budget
PIA           Privacy Impact Assessment
PII           Personally Identifiable Information
Pub. L. No.   Public Law Number
POA&M         Plan of Action and Milestones
PwC           PricewaterhouseCoopers LLP
SP            Special Publication
SSA           Social Security Administration
SSN           Social Security Number
SSPP          Standardized Security Profile Project
TSTRAC        TOP SECRET Tracking
U.S.C.        United States Code
US-CERT       United States Computer Emergency Readiness Team

Appendix B

Office of the Inspector General Response to Annual Federal Information Security Management Act of 2002 Reporting Inspector General Questions

Annual FISMA Reporting Inspector General Questions

Agency Name: Social Security Administration          Submission date: 11/18/09

Question 1: FISMA Systems Inventory

Identify the number of Agency and Contractor systems by component and FIPS 199 impact level (low, moderate, high) reviewed.

Social Security Administration
                        a. Agency Systems          b. Contractor Systems      c. Total Number of Systems
FIPS 199 System                                                                (Agency and Contractor systems)
Impact Level            Total     Reviewed         Total     Reviewed         Total     Reviewed
High                     0         0                0         0                0         0
Moderate                10        10                0         0               10        10
Low                     10        10                0         0               10        10
Not Categorized          0         0                0         0                0         0
Agency Totals           20        20                0         0               20        20

B-1

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

For the Total Number of Reviewed Systems Identified by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Social Security Administration
                        a. Number of systems       b. Number of systems for which     c. Number of systems for which
FIPS 199 System         certified and accredited   security controls have been        contingency plans have been
Impact Level                                       tested and reviewed in the past    tested in accordance with policy
                                                   year
High                     0                          0                                  0
Moderate                10                         10                                  9
Low                     10                         10                                 10
Not Categorized          0                          0                                  0
Agency Totals           20                         20                                 19

The Security Management Access Control System was not included in the Agency’s annual Disaster Recovery Exercise.

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

The Agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the Agency or other organization on behalf of the Agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and Agency policy.

Agencies are responsible for ensuring the security of information systems used by a contractor of their Agency or other organization on behalf of their Agency; therefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal Agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

3a.    Does the Agency have policies for oversight of contractors?   Yes
3a(1). Is the policy implemented?   Yes
3b.    Does the Agency have a materially correct inventory of major information systems (including national security systems) operated by or under the control of such Agency?   Yes
3c.    Does the Agency maintain an inventory of interfaces between the Agency systems and all other systems, such as those not operated by or under the control of the Agency?   Yes
3d.    Does the Agency require agreements for interfaces between systems it owns or operates and other systems not operated by or under the control of the Agency?   Yes
3e.    The Agency inventory is maintained and updated at least annually.   Yes
3f.    The IG generally agrees with the CIO on the number of Agency-owned systems.   Yes
3g.    The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the Agency or other organization on behalf of the Agency.   Yes

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the Agency has developed, implemented, and is managing an Agency-wide Plan of Action and Milestones (POA&M) process:

4a.    Has the Agency developed and documented an adequate policy that establishes a POA&M process for reporting IT security deficiencies and tracking the status of remediation efforts?   Yes
4a(1). Has the Agency fully implemented the policy?   No - The policy was implemented, but weaknesses were identified.
4b.    Is the Agency currently managing and operating a POA&M process?   Yes
4c.    Is the Agency's POA&M process an Agency-wide process, incorporating all known IT security weakness, including IG/external audit findings associated with information systems used or operated by the Agency or by a contractor of the Agency or other organization on behalf of the Agency?   Yes
4d.    Does the POA&M process prioritize IT security weakness to help ensure significant IT security weaknesses are corrected in a timely manner and receive appropriate resources?   Yes
4e.    When an IT security weakness is identified, do program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s)?   Yes
4f.    For Systems Reviewed:
4f(1). Are deficiencies tracked and remediated in a timely manner?   No - We identified vulnerabilities that were not addressed timely.
4f(2). Are the remediation plans effective for correcting the security weakness?   No - SSA’s tracking system did not provide sufficient information on how vulnerabilities were corrected. We could not conclude whether the Agency’s remediation plans for the items we reviewed were effective.
4f(3). Are the estimated dates for remediation reasonable and adhered to?   No - We found some remediation plans were marked as delayed or not started as the plans approached their completion date. We also found some remediation plans did not contain completion dates.
4g.    Do Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly)?   No - The Agency could not provide evidence that some Program officials reported progress on security weakness remediation on a quarterly basis.
4h.    Does the Agency CIO centrally track, maintain, and independently review/validate POA&M activities on at least a quarterly basis?   Yes

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the Agency's Certification and Accreditation (C&A) process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for C&A work initiated after May 2004.
This includes use of the FIPS 199 (February 2004) "Standards for Security Categorization of Federal Information and Information Systems," to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Provide explanatory detail in the area provided.

5a.    Has the Agency developed and documented an adequate policy for establishing a C&A process that follows the NIST framework?   Yes
5b.    Is the Agency currently managing and operating a C&A process in compliance with its policies?   Yes
5c.    For Systems reviewed, does the C&A process adequately provide:
5c(1). Appropriate risk categories   Yes
5c(2). Adequate risk assessments   Yes
5c(3). Selection of appropriate controls   Yes
5c(4). Adequate testing of controls   Yes
5c(5). Regular monitoring of system risks and the adequacy of controls   Yes
5d.    For systems reviewed, is the Authorizing Official (AO) presented with complete and reliable C&A information to facilitate an informed system Authorization to Operate (ATO) decision based on risks and controls implemented?   Yes

Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

Provide a qualitative assessment of the Agency's process, as discussed in the SAOP section, for protecting privacy-related information, including adherence to existing policy, guidance and standards. Provide explanatory information in the area provided.

6a.    Has the Agency developed and documented adequate policies that comply with OMB guidance in M-07-16, M-06-15, and M-06-16 for safeguarding privacy-related information?   Yes
6b.    Is the Agency currently managing and operating a privacy program with appropriate controls in compliance with its policies?   Yes
6c.    Has the Agency developed and documented an adequate policy for PIAs?   Yes
6d.    Has the Agency fully implemented the policy and is the Agency currently managing and operating a process for performing adequate PIAs?   Yes

Question 7: Configuration Management

7a.    Is there an Agency-wide security configuration policy?   Yes
7a(1). For each OS/platform/system for which your Agency has a configuration policy, please indicate the status of implementation for that policy. Monitoring compliance (if policy fully implemented): what tools and techniques is your Agency using for monitoring compliance? The tools are listed below each platform as Tool/Technique/Technology (Category).

OS/Platform/System                  Implementation Status
Microsoft Windows XP Professional   Policy fully implemented
    System Center Configuration Manager (Configuration Scanners)
    System Center Configuration Manager (Patch Scanners)
    NESSUS; Harris STAT (Vulnerability Scanners)
HP HP-UX 11                         Policy fully implemented
    CA PCM (Patch Scanners)
    CA PCM (Configuration Scanners)
    CA PCM (Vulnerability Scanners)
IBM AIX 5                           Policy fully implemented
    CA PCM (Patch Scanners)
    CA PCM (Configuration Scanners)
    CA PCM (Vulnerability Scanners)
IBM OS390                           Policy fully implemented
    SSA Developed Scripts (Configuration Scanners)
Microsoft Windows Server 2003       Policy fully implemented
    System Center Configuration Manager (Patch Scanners)
    System Center Configuration Manager (Configuration Scanners)
    NESSUS; Harris STAT (Vulnerability Scanners)
Oracle Database 10g                 Policy fully implemented
    APP Detective (Patch Scanners)
    APP Detective (Configuration Scanners)
    APP Detective (Vulnerability Scanners)
Sun Solaris 9                       Policy fully implemented
    CA PCM (Patch Scanners)
    CA PCM (Configuration Scanners)
    CA PCM (Vulnerability Scanners)
Sun Solaris 10                      Policy fully implemented
    CA PCM (Patch Scanners)
    CA PCM (Configuration Scanners)
    CA PCM (Vulnerability Scanners)
Microsoft Windows Server 2000       Policy fully implemented
    System Center Configuration Manager (Patch Scanners)
    System Center Configuration Manager (Configuration Scanners)
    NESSUS; Harris STAT (Vulnerability Scanners)
Microsoft Windows Vista             Policy fully implemented
    System Center Configuration Manager (Patch Scanners)
    System Center Configuration Manager (Configuration Scanners)
    NESSUS; Harris STAT (Vulnerability Scanners)
CISCO IOS 12                        Policy fully implemented
    SSA Developed Scripts (Patch Scanners)
    SSA Developed Scripts (Configuration Scanners)
IBM DB2 8                           Policy fully implemented
    No Entries

7b.    Indicate the status of the implementation of Federal Desktop Core Configuration (FDCC) at your Agency:
7b(1). Agency has documented deviations from FDCC standard configuration.   Yes
7b(2). New Federal Acquisition Regulation 2008-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings.   No; however, the Office of Acquisition and Grants and the Office of Telecommunications and Systems Operations are collaborating to get the correct common configuration language into the contracts.

Question 8: Incident Reporting

8a.    How often does the Agency comply with documented policies and procedures for identifying and reporting incidents internally?   90 - 100%
8b.    How often does the Agency comply with documented policies and procedures for timely reporting of incidents to US-CERT?   35%
8c.    How often does the Agency comply with documented policy and procedures for reporting to law enforcement?   90% - 100%

Question 9: Security Awareness Training

Provide an assessment of whether the Agency has provided IT security awareness training to all users with log-in privileges, including contractors. Also provide an assessment of whether the Agency has provided appropriate training to employees with significant IT security responsibilities.

9a.    Has the Agency developed and documented an adequate policy for identifying all general users, contractors, and system owners/employees who have log-in privileges, and providing them with suitable IT security awareness training?   Yes
9b.    Report the following for your Agency:
9b(1). Total number of people with log-in privileges to Agency systems.   87,140
9b(2). Number of people with log-in privileges to Agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program”.   74,307 - For the individuals reviewed, the Agency was unable to provide documentation to show that all individuals received security awareness training.
9b(3). Total number of employees with significant information security responsibilities.   325
9b(4). Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, “Information Technology Security Training Requirements: A Role- and Performance-Based Model”.   325 - For the individuals reviewed, the Agency was unable to provide documentation to show that all individuals received specialized security training.

Question 10: Peer-to-Peer File Sharing

10.    Does the Agency explain policies regarding the use of peer-to-peer file sharing in IT security awareness training, ethics training, or any other Agency-wide training?   Yes

Appendix C

Background and Current Security Status

The Federal Information Security Management Act of 2002 (FISMA) requires that agencies create protective environments for their information systems. It does so by creating a framework for annual information technology (IT) security reviews, vulnerability reporting, and remediation planning, implementation, evaluation, and documentation. 1 In Fiscal Year (FY) 2005, the Social Security Administration (SSA) resolved the long-standing internal controls reportable condition concerning its protection of information. 2 However, during the FY 2009 financial statement audit, SSA’s management of access to its systems was identified as a significant deficiency. 3 SSA continues to work with us and PricewaterhouseCoopers LLP to further improve the security and the protection of information and information systems and resolve other issues observed during prior FISMA reviews.

The Office of Management and Budget (OMB) continues to stress the importance of protecting the public’s privacy and personally identifiable information (PII). For example, OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, mandates agencies to increase efforts to reduce the use of PII collected and held.
OMB Memorandum M-09-29, FY 2009\nReporting Instructions for the Federal Information Security Management Act and\nAgency Privacy Management, required that agencies provide a\n\n\xe2\x80\xa2     breach notification policy, if it has changed significantly since last year\xe2\x80\x99s report;\n\xe2\x80\xa2     progress update on eliminating unnecessary use of Social Security numbers; and\n\xe2\x80\xa2     progress update on review and reduction of holdings of PII.\n\n\n\n1\n    Pub. L. 107-347, Title III, Section 301, 44 U.S.C. \xc2\xa7 3544(a)(1), (a)(2), and (b)(1).\n2\n    SSA\xe2\x80\x99s FY 2005 Performance and Accountability Report, page 164.\n3\n  Government Accountability Office, Government Auditing Standards, section 5.11: A significant\ndeficiency with regard to financial audits is defined as a deficiency in internal control, or combination of\ndeficiencies, that adversely affects the entity\xe2\x80\x99s ability to initiate, authorize, record, process, or report\nfinancial data reliably in accordance with Generally Accepted Accounting Principles such that there is\nmore than a remote likelihood that a misstatement of the entity\xe2\x80\x99s financial statements that is more than\ninconsequential will not be prevented or detected. OMB FY 2009 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management, August 20, 2009, page 9 states\na significant deficiency as a weakness in an agency\xe2\x80\x99s overall information systems security program or\nmanagement control structure, or within one or more information systems that significantly restricts the\ncapability of the agency to carry out its mission or compromises the security of its information, information\nsystems, personnel, or other resources, operations, or assets. 
In this context, the risk is great enough that\nthe agency head and outside agencies must be notified and immediate or near immediate corrective\naction must be taken.\n\n                                                        C-1\n\x0cThis report informs Congress and the public about SSA\xe2\x80\x99s security performance and\nfulfills OMB\'s requirement under FISMA to submit an annual report to Congress. It\nprovides OMB an assessment of SSA\xe2\x80\x99s IT security strengths and weaknesses and a\nplan of action to improve performance. OMB requires that agencies use an automated\ntool, CyberScope, to submit the annual FISMA report.\n\n\n\n\n                                        C-2\n\x0c                                                                                         Appendix D\n\nScope and Methodology\nThe Federal Information Security Management Act of 2002 (FISMA) directs each\nagency\xe2\x80\x99s Office of Inspector General (OIG) to perform, or have an independent external\nauditor perform an annual independent evaluation of the agency\xe2\x80\x99s information security\nprogram and practices as well as a review of an appropriate subset of agency systems.1\nWe contracted with PricewaterhouseCoopers LLP (PwC) to assist with the Social\nSecurity Administration\xe2\x80\x99s (SSA) Fiscal Year (FY) 2009 financial statement audit.\nBecause of the extensive internal control system work that is completed as part of that\naudit, our FISMA review requirements were incorporated into the PwC financial\nstatement audit contract. This evaluation included Federal Information System Controls\nAudit Manual (FISCAM) level reviews of SSA\xe2\x80\x99s mission critical sensitive systems. 
PwC\nperformed an \xe2\x80\x9cagreed-upon procedures\xe2\x80\x9d engagement using FISMA, Office of\nManagement and Budget (OMB) Memorandum M-09-29, FY 2009 Reporting\nInstructions for the Federal Information Security Management Act and Agency Privacy\nManagement, National Institute of Standards and Technology guidance, FISCAM, and\nother relevant security laws and regulations as a framework to complete the OIG-\nrequired review of SSA\xe2\x80\x99s information security program and practices and its sensitive\nsystems. We also considered the security implications of OMB Memorandum M-07-16.\n\nThe results of our FISMA evaluation are based on our FY 2009 financial statement audit\nand working papers related to its agreed-upon procedures engagement as well as\nvarious audits and evaluations performed by this office. We also reviewed the final draft\nof the Chief Information Officer and Senior Agency Official for Privacy 2009 Annual\nFISMA Report.\n\nOur major focus was an evaluation of SSA\xe2\x80\x99s plan of action and milestones (POA&M)\nprocess, configuration management, incident management, privacy, certifications and\naccreditations (C&A), security awareness and training, and systems inventory\nprocesses. Our evaluation of SSA\xe2\x80\x99s POA&Ms included an analysis of the C&A Web\nsolution used by the Agency and its related policies. We also reviewed SSA\xe2\x80\x99s updated\nsystems inventory and the policy for the update processes.\n\nWe performed field work at SSA facilities nationwide from March to October 2009. We\nconsidered the results of other OIG audits performed in FY 2009. We conducted this\nperformance audit in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. 
We believe the evidence obtained provides\na reasonable basis for our findings and conclusions based on our audit objectives.\n\n\n\n\n1\n    Pub. L. No. 107-347, Title III, section 301, 44 U.S.C \xc2\xa7 3545 (a)(1), (a)(2), and (b)(1).\n\x0c                                                                         Appendix E\n\nThe Social Security Administration\xe2\x80\x99s Certified and\nAccredited Systems\n#                            System                                      Acronym\n                 General Support Systems\n1   Audit Trail System                                        ATS\n2   Web Comprehensive Integrity Review Process                CIRP\n\n3   Death Alert, Control and Update System                    DACUS\n\n4   Debt Management System                                    DMS\n5   Quality System                                            Quality System\n\n6   Integrated Disability Management System                   IDMS\n\n7   Enterprise Wide Mainframe & Distributed Network           EWANS\n    Telecommunications Services System\n8   FALCON Data Entry System                                  FALCON\n\n9   Human Resources Management Information System             HRMIS\n\n10 Integrated Client Database System                          ICDB\n\n11 Security Management Access Control System                  SMACS\n12 Recovery of Overpayments, Accounting, and Reporting        ROAR\n   System\n13 Social Security Online Accounting & Reporting System       SSOARS\n14 Security Unified Measurement System                        SUMS\n\n\n                      Major Applications\n1   Electronic Disability System                              eDib\n2   Earnings Record Maintenance System                        ERMS\n3   Retirement, Survivors & Disability Insurance Accounting   RSDI \xe2\x80\x93 Accounting\n    System\n4   Social Security Number Establishment and Correction       SSNECS\n    System\n5   Supplemental Security Income Record Maintenance System    
SSIRMS\n\n6   Title II System                                           Title II\n\x0c                                                                     Appendix F\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Brian Karpe, Director, Information Technology Audit Division\n\n   Phil Rogofsky, Audit Manager, Information Technology Audit Division\n\nAcknowledgments\n\nIn addition to the persons named above:\n\n   Al Darago, Lead Auditor\n\n   Grace Chi, Auditor-in-Charge\n\n   Tina Nevels, Auditor\n\n   Michael Zimmerman, Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number\nA-14-09-19047.\n\x0c                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Science, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Governmental Affairs, U.S.\nSenate\nChairman and Ranking Minority Member, Committee on Commerce, Science and\nTransportation, U.S. 
Senate\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. 
OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. 
OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c'